Changes in request_token.rb

The RequestToken contains the bulk of the changes, so it's easiest to
list it in its entirety. Mainly we need to add support for the
oauth_verifier parameter and also tell the client that we support OAuth
1.0a.

This way the controller will automatically include bug fixes in future
versions of the plugin.

The rest of the changes are in the plugin and will automatically be
included.

Note: OAuth 1.0a removes support for callback URLs passed to the
authorize page. Clients must either define a callback URL in their client
application or pass one on the token request page.

Supporting old OAuth 1.0 clients

If you absolutely have to support older OAuth 1.0 clients on an optional
basis, we now include a switch to turn it back on.

For legacy OAuth 1.0 support, add the following constant in your
environment.rb:

OAUTH_10_SUPPORT = true

Note: you should only do this if you absolutely must support old
OAuth 1.0 clients. There is a serious security issue with this.
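
The check that oauth_verifier adds, and what the legacy switch relaxes, can be seen in this added sketch. It is not the plugin's request_token.rb: the class SketchRequestToken, its methods and the legacy_10 flag (standing in for OAUTH_10_SUPPORT) are hypothetical, and applying legacy mode only to tokens requested without a callback is an assumption of the sketch.

```ruby
require 'securerandom'

# Hypothetical provider-side request token (illustration only, not the plugin's model).
class SketchRequestToken
  attr_reader :token, :callback_url, :verifier

  # legacy_10 stands in for OAUTH_10_SUPPORT = true.
  def initialize(callback_url: nil, legacy_10: false)
    @token        = SecureRandom.hex(16)
    @callback_url = callback_url # 1.0a: supplied on the token request, not the authorize page
    @legacy_10    = legacy_10
    @authorized   = false
    @exchanged    = false
  end

  # Assumption: legacy behaviour applies only when no callback came with the token request.
  def oauth10?
    @legacy_10 && @callback_url.nil?
  end

  # Called when the user approves access. In 1.0a mode a verifier is generated;
  # it reaches the consumer only through the callback redirect or the user.
  def authorize!
    @authorized = true
    @verifier   = SecureRandom.hex(10) unless oauth10?
    @verifier
  end

  # Exchange for an access token: one time only, and in 1.0a mode only when the
  # caller presents the verifier issued for this token.
  def exchange!(presented_verifier = nil)
    return false unless @authorized && !@exchanged
    return false unless oauth10? || secure_eq(presented_verifier.to_s, @verifier)
    @exchanged = true
  end

  private

  # Constant-time comparison so the check does not leak how many characters matched.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With legacy_10 enabled and no callback, exchange! succeeds without any verifier, which is the weaker behaviour the note above refers to.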

Protecting your actions

I recommend that you think about what your users would want to provide
access to and limit OAuth to those actions only. For example, in a CRUD
controller, consider whether you want to let consumer applications perform
the create, update or delete actions. For your application this might make
sense, but for others maybe not.

If you want to give oauth access to everything a registered user can do,
just replace the filter you have in your controllers with:

before_filter :login_or_oauth_required

If you want to restrict consumers to the index and show methods of your
controller do the following:

All of these place the token's user in current_user as you would expect.
They also expose the following methods:

current_token - for accessing the token used to authorize the current
request

current_client_application - for accessing information about which consumer
is currently accessing your request

You could add application specific information to the OauthToken and
ClientApplication model for such things as object level access control,
billing, expiry etc. Be creative and you can create some really cool
applications here.

OAuth Consumer generator

The oauth_consumer generator creates a controller to manage the
authentication flow between your application and any number of external
OAuth secured applications that you wish to connect to.

To run it in Rails 3 simply run:

rails g oauth_consumer

In previous versions:

./script/generate oauth_consumer

This generates the OauthConsumerController as well as the ConsumerToken
model.

Generator Options (Rails 2)

By default the generator generates ERB templates. The generator can instead
create HAML templates. To do this use the following options:

If you are using Mongoid you want to add an embeds_many association in your
user model:

embeds_many :consumer_tokens

Custom ConsumerToken models

Before creating the FireEagleToken model the plugin checks if a class
already exists by that name or if we provide an api wrapper for it. This
allows you to create a better token model that uses an existing ruby gem.

Currently we provide the following semi-tested token wrappers:

FireEagle

Twitter

Agree2

These can be found in lib/oauth/models/consumers/services. Contributions
will be warmly accepted for your favorite OAuth service.

The OauthConsumerController

To connect a user to an external service link or redirect them to:

/oauth_consumers/[SERVICE_NAME]

Where SERVICE_NAME is the name you set in the OAUTH_CREDENTIALS hash. This
will request the request token and redirect the user to the service's
authorization screen. When the user accepts, they get redirected back to:

/oauth_consumers/[SERVICE_NAME]/callback

You can specify this url to the service you're calling when you
register, but it will automatically be sent along anyway.